ssh default security risc

Giorgos Keramidas keramida at
Fri Feb 4 00:09:06 PST 2005

On 2005-02-03 22:54, Ted Mittelstaedt <tedm at> wrote:
>Giorgos Keramidas wrote:
>>On 2005-02-04 01:04, Gert Cuykens <gert.cuykens at> wrote:
>>> On Fri, 04 Feb 2005 00:05:34 +0000, Chris Hodgins
>>> <chodgins at> wrote:
>>> True but the point is without the ssh root enabled there is
>>> nothing you can do about it to stop them if they change your user
>>> password
>> [...]
>> You may also want to consider than having SSH enabled for root
>> means there is only ONE step at becoming root from any remote
>> location.
>> Having to SSH as a user first, with the right combination of SSH
>> keys and passwords, and then use su(1) with yet another password is
>> at least one more step.
>> Why is the first, 1-step procedure safer than the second?
> I think I'm going to interject a few things here to this discussion,
> which has turned into a rediculous religious argument.
> In answer to your question about a 1-step procedure safer than the
> second, well as a matter of fact there are circumstances when it is.
> For example:
> [snip great advice about securing ssh access]

I was (perhaps not so) obviously referring to "all other things being
equal, allowing ssh access to a plain user is safer than allowing
direct ssh access to root.

All great points, though.  Thanks Ted.

- Giorgos

More information about the freebsd-questions mailing list